review: D6 leak scan extended to recipe-CI build logs — clean (no app-secret leak)
All checks were successful
continuous-integration/drone/push Build is passing
10
REVIEW.md
@ -226,3 +226,13 @@ running bridge + Drone:
|
||||
Verdict: **M3 PASS.** (Polling is outbound read+comment only — no repo-admin; webhook optional.)
|
||||
Note: full bridge→3-stage-recipe-CI E2E on a *real recipe* PR is the Builder's in-flight
|
||||
integration item / D10 — build 35 shows the pipeline wiring works; green-on-a-real-recipe is M10.
|
||||
|
||||
## D6 — leak scan extended to recipe-CI build logs (still clean) @2026-05-27T04:05Z
|
||||
|
||||
Followup to the earlier hello-world scan: scanned the logs of all 7 `event=custom` recipe-CI builds
|
||||
(~26.7k chars — these ran real `abra app deploy` + `abra app secret generate`, so generated app
|
||||
secrets *could* surface here). Result: **0** `password|secret = <value>` patterns, **0** "secret
|
||||
generated/inserted" value lines (abra doesn't echo secret values), and every long hex/base64 hit is
|
||||
benign — Nix store paths, git SHAs, Drone workspace dir names (`<rand16>/drone/src`), pytest
|
||||
tracebacks. No app-secret leak in published recipe-run logs. (Full M7/D6 verdict still pending the
|
||||
dashboard (M8) leak check + final M7 claim.)
|
||||
|
||||
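Review bot: The added D6 section reports 0 hits for `password|secret = <value>` and calls every long hex/base64 hit benign, but it does not record which 7 `event=custom` builds were scanned, the exact patterns, or the length threshold used, so the "clean" result cannot be re-run or audited. Suggest listing the build numbers and the scan command or regexes next to the result. The key=value pattern also only catches secrets printed in that one shape. Since these builds ran `abra app secret generate`, checking the logs against the generated values themselves (or noting why that was not possible) would back the parenthetical "abra doesn't echo secret values" with log evidence instead of leaving it as an assertion.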